Allow to set the permissions of the Unix domain control socket

Several users in GitHub have asked for the ability to set the
permissions of the unitd UNIX Domain control socket.

This can of course be done externally, but can be done much cleaner by
Unit itself.

This commit adds three new options

  --control-mode	Set the mode of the socket, e.g 644

  --control-user	Set the user/owner of the socket, e.g unit

  --control-group	Set the group of the socket, e.g unit

Of course these only have an affect when using a UNIX Domain Socket for
the control socket.

Requested-by: michaelkosir <https://github.com/michaelkosir>
Requested-by: chopanovv <https://github.com/chopanovv>
Link: <https://github.com/nginx/unit/issues/254>
Link: <https://github.com/nginx/unit/issues/980>
Closes: https://github.com/nginx/unit/issues/840
Tested-by: Liam Crilly <liam.crilly@nginx.com>
Reviewed-by: Zhidao Hong <z.hong@f5.com>
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>

3 files changed, 72 insertions, 3 deletions

diff --git a/src/nxt_listen_socket.c b/src/nxt_listen_socket.c
index d477eef1..047c1ef9 100644
--- a/src/nxt_listen_socket.c
+++ b/src/nxt_listen_socket.c
@@ -127,13 +127,23 @@ nxt_listen_socket_create(nxt_task_t *task, nxt_mp_t *mp,
 #if (NXT_HAVE_UNIX_DOMAIN)
 
     if (family == AF_UNIX) {
-        name = (nxt_file_name_t *) sa->u.sockaddr_un.sun_path;
+        const char     *user;
+        const char     *group;
+        nxt_runtime_t  *rt = thr->runtime;
 
-        access = (S_IRUSR | S_IWUSR);
+        name = (nxt_file_name_t *) sa->u.sockaddr_un.sun_path;
+        access = rt->control_mode > 0 ? rt->control_mode : S_IRUSR | S_IWUSR;
 
         if (nxt_file_set_access(name, access) != NXT_OK) {
             goto listen_fail;
         }
+
+        user = rt->control_user;
+        group = rt->control_group;
+
+        if (nxt_file_chown(name, user, group) != NXT_OK) {
+            goto listen_fail;
+        }
     }
 
 #endif
diff --git a/src/nxt_runtime.c b/src/nxt_runtime.c
index 9bfabc75..0e7f879e 100644
--- a/src/nxt_runtime.c
+++ b/src/nxt_runtime.c
@@ -956,6 +956,12 @@ nxt_runtime_conf_read_cmd(nxt_task_t *task, nxt_runtime_t *rt)
 
     static const char  no_control[] =
                        "option \"--control\" requires socket address\n";
+    static const char  no_control_mode[] =
+                        "option \"--control-mode\" requires a mode\n";
+    static const char  no_control_user[] =
+                        "option \"--control-user\" requires a username\n";
+    static const char  no_control_group[] =
+                        "option \"--control-group\" requires a group name\n";
     static const char  no_user[] = "option \"--user\" requires username\n";
     static const char  no_group[] = "option \"--group\" requires group name\n";
     static const char  no_pid[] = "option \"--pid\" requires filename\n";
@@ -984,6 +990,13 @@ nxt_runtime_conf_read_cmd(nxt_task_t *task, nxt_runtime_t *rt)
         "  --control ADDRESS    set address of control API socket\n"
         "                       default: \"" NXT_CONTROL_SOCK "\"\n"
         "\n"
+        "  --control-mode MODE  set mode of the control API socket\n"
+        "                       default: 0600\n"
+        "\n"
+        "  --control-user USER    set the owner of the control API socket\n"
+        "\n"
+        "  --control-group GROUP  set the group of the control API socket\n"
+        "\n"
         "  --pid FILE           set pid filename\n"
         "                       default: \"" NXT_PID "\"\n"
         "\n"
@@ -1032,6 +1045,48 @@ nxt_runtime_conf_read_cmd(nxt_task_t *task, nxt_runtime_t *rt)
             continue;
         }
 
+        if (nxt_strcmp(p, "--control-mode") == 0) {
+            if (*argv == NULL) {
+                write(STDERR_FILENO, no_control_mode,
+                      nxt_length(no_control_mode));
+                return NXT_ERROR;
+            }
+
+            p = *argv++;
+
+            rt->control_mode = strtoul(p, NULL, 8);
+
+            continue;
+        }
+
+        if (nxt_strcmp(p, "--control-user") == 0) {
+            if (*argv == NULL) {
+                write(STDERR_FILENO, no_control_user,
+                      nxt_length(no_control_user));
+                return NXT_ERROR;
+            }
+
+            p = *argv++;
+
+            rt->control_user = p;
+
+            continue;
+        }
+
+        if (nxt_strcmp(p, "--control-group") == 0) {
+            if (*argv == NULL) {
+                write(STDERR_FILENO, no_control_group,
+                      nxt_length(no_control_group));
+                return NXT_ERROR;
+            }
+
+            p = *argv++;
+
+            rt->control_group = p;
+
+            continue;
+        }
+
         if (nxt_strcmp(p, "--user") == 0) {
             if (*argv == NULL) {
                 write(STDERR_FILENO, no_user, nxt_length(no_user));
diff --git a/src/nxt_runtime.h b/src/nxt_runtime.h
index 66ec0106..7bd490d7 100644
--- a/src/nxt_runtime.h
+++ b/src/nxt_runtime.h
@@ -70,8 +70,12 @@ struct nxt_runtime_s {
     const char             *ver_tmp;
     const char             *conf;
     const char             *conf_tmp;
-    const char             *control;
     const char             *tmp;
+    const char             *control;
+
+    mode_t                 control_mode;
+    const char             *control_user;
+    const char             *control_group;
 
     nxt_str_t              certs;
     nxt_str_t              scripts;